From patchwork Tue Nov 23 11:50:52 2021
X-Patchwork-Submitter: Ruchika Gupta
X-Patchwork-Id: 519312
From: Ruchika Gupta
To: u-boot@lists.denx.de
Cc: Ruchika Gupta
Subject: [v2] [PATCH 3/3] efi_loader: Extend PCR's for firmware measurements
Date: Tue, 23 Nov 2021 17:20:52 +0530
Message-Id: <20211123115052.124941-3-ruchika.gupta@linaro.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20211123115052.124941-1-ruchika.gupta@linaro.org>
References: <20211123115052.124941-1-ruchika.gupta@linaro.org>

Firmwares before U-Boot may be capable of doing TPM measurements and passing them to U-Boot in the form of an eventlog. However, there may be scenarios where the firmwares don't have a TPM driver and are not capable of extending the measurements in the PCRs. Based on the TCG spec, if previous firmware has extended PCRs, PCR0 would not be 0. So, read PCR0 to determine whether the PCRs need to be extended as the eventlog is parsed or not.

Signed-off-by: Ruchika Gupta
---
v2 : Removed check for PCR0 in eventlog

 lib/efi_loader/efi_tcg2.c | 77 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)

diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index c3ebdf92f5..133fe8291a 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -199,6 +199,43 @@ static efi_status_t tcg2_pcr_extend(struct udevice *dev, u32 pcr_index, return EFI_SUCCESS; } +/* tcg2_pcr_read - Read PCRs for a TPM2 device for a given tpml_digest_values + * + * @dev: device + * @digest_list: list of digest algorithms to extend + * + * @Return: status code + */ +static efi_status_t tcg2_pcr_read(struct udevice *dev, u32 pcr_index, + struct tpml_digest_values *digest_list) +{ + struct tpm_chip_priv *priv; + unsigned int updates, pcr_select_min; + u32 rc; + size_t i; + + priv = dev_get_uclass_priv(dev); + if (!priv) + return EFI_DEVICE_ERROR; + + pcr_select_min = priv->pcr_select_min; + + for (i = 0; i < digest_list->count; i++) { + u16 hash_alg = digest_list->digests[i].hash_alg; + u8 *digest = (u8 *)&digest_list->digests[i].digest; + + rc = tpm2_pcr_read(dev, pcr_index, pcr_select_min, + hash_alg, digest, alg_to_len(hash_alg), + &updates); + if (rc) { + EFI_PRINT("Failed to read PCR\n"); + return EFI_DEVICE_ERROR; + } + } + + return EFI_SUCCESS; +} + /* put_event - Append an agile event to an eventlog * * @pcr_index: PCR index @@ -1427,6 +1464,8 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, u32 pcr, pos; u64 base; u32 sz; + bool extend_pcr = false; + int i; ret = platform_get_eventlog(dev, &base, &sz); if (ret == EFI_SUCCESS) { 
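Review bot: the kernel-doc block for tcg2_pcr_read() does not match the function it documents: it lists @dev and @digest_list but omits @pcr_index, and describes @digest_list as "list of digest algorithms to extend" although this function only reads PCR values into it. Suggest adding `@pcr_index: PCR to read` and rewording to "list of digest algorithms to read; each entry's digest is overwritten with the PCR value". Two smaller points in the same hunk: `updates` is requested from tpm2_pcr_read() but never looked at, so it can be dropped or its use explained, and `EFI_PRINT("Failed to read PCR\n")` would be far more useful on a multi-bank TPM if it included pcr_index, hash_alg and rc, since otherwise there is no hint which bank failed.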
@@ -1447,6 +1486,26 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, return EFI_COMPROMISED_DATA; } + ret = tcg2_pcr_read(dev, 0, &digest_list); + if (ret) { + log_err("Error reading PCR 0\n"); + return ret; + } + + /* + * If PCR0 is 0, previous firmware didn't have the capability + * to extend the PCR. In this scenario, extend the PCR as + * the eventlog is parsed. + */ + for (i = 0; i < digest_list.count; i++) { + u8 buffer[TPM2_DIGEST_LEN] = { 0 }; + u16 hash_alg = digest_list.digests[i].hash_alg; + + if (!memcmp((u8 *)&digest_list.digests[i].digest, + buffer, alg_to_len(hash_alg))) + extend_pcr = true; + } + while (pos < sz) { ret = tcg2_parse_event(dev, buffer, sz, &pos, &digest_list, &pcr); @@ -1454,6 +1513,24 @@ efi_status_t tcg2_get_fw_eventlog(struct udevice *dev, void *log_buffer, log_err("Error parsing event\n"); return ret; } + + if (extend_pcr) { + ret = tcg2_pcr_extend(dev, pcr, &digest_list); + if (ret != EFI_SUCCESS) { + log_err("Error in extending PCR\n"); + return ret; + } + + /* Clear the digest for next event */ + for (i = 0; i < digest_list.count; i++) { + u16 hash_alg = + digest_list.digests[i].hash_alg; + u8 *digest = + (u8 *)&digest_list.digests[i].digest; + + memset(digest, 0, alg_to_len(hash_alg)); + } + } } memcpy(log_buffer, buffer, sz);
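Review bot: in the PCR0 check, the all-zero reference `u8 buffer[TPM2_DIGEST_LEN] = { 0 };` is compared over `alg_to_len(hash_alg)` bytes, so for any active bank whose digest is longer than TPM2_DIGEST_LEN the memcmp reads past the end of the array (a stack out-of-bounds read, and the comparison result for that bank is then meaningless). Size the reference to the largest digest the list can hold, or simply scan the digest bytes for a non-zero value. The same local is also named `buffer`, shadowing the eventlog `buffer` pointer used in the `tcg2_parse_event()` call a few lines below; a name such as `zero_digest` avoids the confusion and a -Wshadow warning. Second, `extend_pcr = true` is set as soon as any one bank has an all-zero PCR0, but tcg2_pcr_extend() then extends every bank in digest_list for every event, so if the banks disagree (one already extended by earlier firmware, another not) the already-extended bank receives every measurement a second time and stops matching the log; treating a mixed result as EFI_COMPROMISED_DATA, or deciding per bank, would be safer. Third, in the extend hunk the replay trusts whatever the earlier, TPM-less firmware wrote into the eventlog, so the resulting PCR values are only as good as that hand-off; that assumption deserves a sentence in the commit message or in the comment above the PCR0 loop so verifiers attesting against these PCRs know what they represent.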